Not sure if this has been discussed before, and I apologize if I'm repeating another thread.

I'm currently working on a case that may end up costing an organization $500,000 in damages. As of right now, I'm working largely with open source utilities and WinHex (forensics version). I've gotten word that, given the potential cost, a few thousand dollars is money well spent if it helps in the investigation.
I'm interested in hearing from those of you that work with commercial software on a daily basis what your thoughts are on FTK vs. EnCase vs. SMART.

I mainly deal in incident response and compromised hosts, attempting to determine the cause of compromise and generate a timeline of events and file activity. If anyone can recommend a version of any of the above that is well suited to incident response and post-mortem analysis versus law enforcement use, I'd appreciate it.

I have all four of the software programs that you refer to (WinHex, FTK, EnCase & SMART) & can advise that whichever you choose to use very much depends on the circumstances of the case.

Imaging

All of the tools have imaging capabilities, but I like using SMART for this purpose. WinHex has a DOS-based Replica tool which provides a true image of the target (as it sees it!!). FTK and EnCase create images which are not true copies as they embed the image files with error-checking data (that is not to say that within that image file the true copy does not exist - it's just that there is also the additional data for checking purposes). These three work in a DOS/Windows environment and unless careful it may be possible to miss the fact that you are not acquiring the entire contents of the drive (i.e. in circumstances where an HPA has been created). SMART is a Linux tool and creates a true bit-image copy of the target and can create a separate file for the error-checking purposes. If you try SMART you will be pleased with the available options and the fact that you can simultaneously create multiple image files as well as clone the target.

It should be noted that these tools can all open image files created by the other tools... however, it makes sense that proprietary formats should only really be worked on using the software that created them. Raw (true) images such as those created with SMART can be opened with any of the tools and there is no need to worry about proprietary formats.

Searching

The best tool of the four (in my experience) for keyword searching is FTK. FTK can create a keyword index of the entire image at the start of the process which makes future searches easy. It is rare that you start a case with all the correct keywords... as a case develops, you often need to repeat searches with new keywords, which can waste a lot of time.

Examining complex structures

This is where EnCase is quite outstanding - it is capable of breaking down complex file structures for examination, such as the registry files, dbx & pst files, Thumbs.db etc.

Carving

For recovering files from unallocated space, I will commonly use EnCase, but will often try WinHex to do the same thing (basically because I really like WinHex & trust it more).

Incident Response

For incident response, all of the tools can be useful, but before I start, I would use a tool under the same OS as the system being examined, i.e. I would definitely use SMART to examine a Linux machine and one of the others for a Windows machine. For live incident response, we have been testing ProDiscover with some success.

Unicode

We work with a lot of foreign language systems & the ability of the software to interpret the different Unicode code pages successfully is important. The only tool which has come close so far is EnCase, but it still leaves a lot to guesswork.

Comments

If you are working with incident response, and especially if you deal with a lot of Linux systems, I would strongly recommend SMART. It is a tool that we only bought a few months ago, but I am liking it more and more. I am also a great fan of WinHex (X-Ways Forensics), but that is because you have a great deal of control over what you are doing - for automated forensic work (and hence greater efficiency) stick with EnCase or FTK. Lastly, do not overlook ProDiscover - very useful for the type of work you seem to be involved in.

In addition, we use tools such as Gargoyle (from WetStone) which is useful for quickly identifying hacking tools or other malware on a system under investigation. Paraben E-mail Examiner (both local and server versions) is also very useful where e-mail is part of your investigations.

This was probably too much info, but in a nutshell, all tools have their uses but just one will not meet every requirement. In your case I would probably get SMART as well as ProDiscover. If you've got more money to burn, get one of EnCase or FTK.
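An added example, in Python, of the raw-image-plus-separate-checksum approach the Imaging section above credits to SMART (zero-filling unreadable blocks the way dd's conv=noerror,sync does). This is not code from SMART, WinHex, FTK or EnCase, nor from the poster; the FlakySource class, the 4 KiB block size and the 8-block sample data are constructed for the demo, and the JSON sidecar layout is my own choice rather than any tool's format.

```python
"""Raw, bit-for-bit imaging with a separate verification file.

Added example; not code from SMART, WinHex, FTK or EnCase. The image file is an
untouched copy of the source and the hashes go in a sidecar, not inside the
image. A block that cannot be read is zero-filled and logged so later offsets
stay aligned (what dd's conv=noerror,sync does). The `size` argument is the
caller's responsibility: take it from the drive's native maximum (hdparm -N on
Linux) rather than the OS-visible size, or an HPA is silently left out.
"""
import hashlib
import json
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: small so the demo runs on a tiny constructed source


class FlakySource:
    """Constructed stand-in for a device that returns I/O errors on some blocks."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // BLOCK_SIZE in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_raw(src, dst, size, block_size=BLOCK_SIZE):
    """Copy `size` bytes from src to dst block by block.

    Returns (sha256, md5, bad_offsets) computed over the bytes actually written.
    """
    sha256, md5, bad = hashlib.sha256(), hashlib.md5(), []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            src.seek(offset)
            chunk = src.read(want)
        except OSError:
            bad.append(offset)  # record the unreadable block and carry on
            chunk = b""
        chunk += b"\x00" * (want - len(chunk))  # zero-fill short or failed reads
        dst.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
        offset += want
    return sha256.hexdigest(), md5.hexdigest(), bad


def write_sidecar(path, sha256, md5, size, bad):
    """Hashes and the error log live next to the image, not inside it."""
    with open(path, "w") as f:
        json.dump({"sha256": sha256, "md5": md5, "size": size,
                   "block_size": BLOCK_SIZE, "unreadable_offsets": bad}, f)


def verify_image(image_path, sidecar_path):
    """Re-hash the image file and compare with the sidecar (the on-site check before leaving)."""
    with open(sidecar_path) as f:
        meta = json.load(f)
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == meta["sha256"] and os.path.getsize(image_path) == meta["size"]


def demo():
    """Constructed 8-block source whose third block (offset 8192) is unreadable."""
    data = bytes(range(256)) * (8 * BLOCK_SIZE // 256)
    src = FlakySource(data, bad_blocks={2})
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.raw")
    sidecar = image + ".json"
    with open(image, "wb") as dst:
        sha256, md5, bad = image_raw(src, dst, len(data))
    write_sidecar(sidecar, sha256, md5, len(data), bad)
    with open(image, "rb") as f:
        imaged = f.read()
    expected = data[:2 * BLOCK_SIZE] + b"\x00" * BLOCK_SIZE + data[3 * BLOCK_SIZE:]
    return {"bad": bad, "verified": verify_image(image, sidecar),
            "matches_zero_filled_source": imaged == expected}


if __name__ == "__main__":
    print(demo())
```

Because the hash covers what was written rather than what the device holds, a drive with unreadable sectors will never hash the same as its image; the sidecar's list of zero-filled offsets is what lets you explain that difference later.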

Paul,
Thanks for the info.
I typically respond to any incident with a Helix CD in hand to grab a dd image. It works over the network, and can do live analysis on a system. I'm also trying to determine a way to use Harlan's forensic server project in my environment.

Do any of these products require a hardware write blocker during investigation? Up until recently I've done all of my work on a Linux box, and I am just now starting to use Windows as a forensics workstation.

Do any of the tools create a timeline of file activity?

How well do they handle an ext3 volume with a dd image contained within?

Interestingly enough, WetStone is about 20 minutes from my location.
Thanks!
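The "timeline of file activity" asked about above, as an added example in Python that is not code from FTK, EnCase, SMART, WinHex or ProDiscover, nor the poster's. It builds a mactime-style timeline (modification, access and inode-change times merged into one row per file and timestamp) from a directory tree such as a mounted dd image; the web-root scenario, file names and epoch times in demo() are constructed for the demo.

```python
"""File-activity timeline (mactime style) from a mounted image or directory.

Added example; not code from any product in the thread. Walks a tree, takes the
modification, access and inode-change times of every entry (the MAC times a body
file carries), merges the three into one row per file and timestamp, and renders
the rows in time order. On Linux st_ctime is the inode change time, not creation.
"""
import datetime
import os
import stat
import tempfile
from pathlib import Path


def collect_mac_times(root):
    """One (timestamp, flag, path, size, mode, uid) tuple per entry per MAC time."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks inside evidence
            rel = Path(os.path.relpath(full, root)).as_posix()
            for ts, flag in ((st.st_mtime, "m"), (st.st_atime, "a"), (st.st_ctime, "c")):
                rows.append((int(ts), flag, rel, st.st_size, stat.filemode(st.st_mode), st.st_uid))
    return sorted(rows)


def coalesce(rows):
    """Merge rows sharing (timestamp, path) into one row with 'mac' flags such as 'ma.' or '..c'."""
    merged = {}
    for ts, flag, rel, size, mode, uid in rows:
        entry = merged.setdefault((ts, rel), {"flags": set(), "size": size, "mode": mode, "uid": uid})
        entry["flags"].add(flag)
    out = []
    for (ts, rel), e in sorted(merged.items()):
        flags = "".join(f if f in e["flags"] else "." for f in "mac")
        out.append((ts, flags, rel, e["size"], e["mode"], e["uid"]))
    return out


def render(entries):
    """Human-readable lines; UTC so entries from different boxes line up."""
    lines = []
    for ts, flags, rel, size, mode, uid in entries:
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {size:>8} {flags} {mode} {uid} {rel}")
    return lines


def demo():
    """Constructed scenario: a web root deployed at one time, a PHP file that appears a day later."""
    root = tempfile.mkdtemp()
    deployed = 1_100_000_000  # constructed epoch seconds
    dropped = deployed + 86_400
    os.makedirs(os.path.join(root, "uploads"))
    for rel, ts, body in (("index.html", deployed, b"<html></html>\n"),
                          ("uploads/shell.php", dropped, b"<?php /* constructed */ ?>\n")):
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(body)
        os.utime(full, (ts, ts))  # sets atime/mtime; ctime becomes "now", utime cannot set it
    return coalesce(collect_mac_times(root))


if __name__ == "__main__":
    print("\n".join(render(demo())))
```

Run it and the two backdated files appear at their set times with "ma." flags while their "..c" rows land at the time the demo ran: a modification time far older than the inode change time of the same file is exactly the mismatch that makes a timestomped file stand out in this kind of timeline.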

You mentioned Registry and dbx files; FTK hands down handles those better than EnCase. Check out their Registry Viewer. If you write managed summary reports, you can pinpoint things in cases very nicely without all the fluff of having to look through a lot of entries which may not apply to a particular case.
-- Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather."

If it's a software case, you may also need to add some more specialist software such as IDA Pro and/or PE Explorer for binaries/executables - helps to dig down, especially with elements such as security certificates, embedded file regions, packed code etc., stuff that FTK/EnCase/WinHex won't pick up initially.

First, I have never used SMART so I can only comment on FTK vs EnCase.

I agree with the comments that EnCase can make you a bit complacent. People tend to believe it more because it seems more professional (?).

The FTK indexer is much better than most because you can add search terms after the fact. That is a huge time saver, as the results are almost instantly displayed. I still don't think the FTK version of dtSearch is anywhere near as good as the standalone version though, at least regarding indexing speeds.

The EnCase Index needs work (a lot of work.)

The disadvantages for FTK include a lack of recursive export capabilities and a problem with the file naming convention in exported reports (1.70+.)

FTK doesn't carve files as well as EnCase.

Neither EnCase nor FTK does a very good job of reporting on problems or errors the products may encounter.

I have had issues with EnCase when mounting severely nested archives.

FTK Imager is great. I have used it live on a cd and on usb. I did have a couple of problems with FTK Imager on a live system recently but I worked around it.

I also use FTK Imager to verify images when working on-site.

EnCase's Linen is great too. You just can't beat Linen with Helix.

That is about my two cents on the comparison. I use both tools as well as others. These days I am using a lot more of X-Ways (WinHex Forensics) and I am getting to like it more and more. I also use Helix. For copying tasks I tend to use Evidence Mover or a new tool called File Analyst (www.litquest.com). I have also bought Harlan's book and am working my way through his tools as well.